The most secure method would be a DMZ domain, poking holes in the firewall between the IBCM server and the site server. When we were investigating, however, we found that most people would avoid that method because of all the work required on the firewall and to support the new domain.
In our research, the most common deployment we found was using SSL bridging through a device like an F5 BIG-IP or a Microsoft TMG. This lets your gateway device (F5, TMG, or whatever) do packet and cert inspection, and the internet clients never actually connect directly to the internal SCCM server. Microsoft also supports SSL reverse proxy, but then you are letting internet client traffic land directly on your internal SCCM server. That was a bit more risk than we were willing to stomach, but it is a supported config. DA is still the best route, though.

Kenneth Merenda

From: [email protected] On Behalf Of Sean Pomeroy
Sent: Wednesday, April 29, 2015 2:33 PM
To: [email protected]
Subject: Re: [mssms] SCCM 2012 R2 IBCM

The primary reason is SUP, with inventory and software deployment a very close second. And we do deploy all applications to users, not devices.

On Wed, Apr 29, 2015 at 3:32 PM Sean Pomeroy <[email protected]> wrote:

As of right now, DA is not on the table.

On Wed, Apr 29, 2015 at 12:42 PM Kent, Mark <[email protected]> wrote:

Same here, DA is great.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: [email protected] On Behalf Of Roland Janus
Sent: Wednesday, April 29, 2015 12:28 PM
To: [email protected]
Subject: RE: [mssms] SCCM 2012 R2 IBCM

If you have any chance of looking into Direct Access, then don’t bother with IBCM.
We just did a proof of concept of DA in a lab env. 6 hours and it worked. Given the pre-requisites done before.
DA is amazing

From: [email protected] On Behalf Of Sean Pomeroy
Sent: Wednesday, 29 April 2015 16:49
To: [email protected]
Subject: [mssms] SCCM 2012 R2 IBCM

How is everyone doing IBCM?
We tried to leverage our NetScalers, but they do not allow offloading and verifying the certificate, and security won't allow a tunnel without inspection. We do not currently have a domain in our DMZ; it seems that is the next route we are going to go down. However, security will not allow a trust between the two domains. Now that MS has sunsetted TMG, what other options is everyone using/considering?

Thanks,
Sean
